Election Crime Bureau

Made possible by the Lindell Offense Fund
Donate

Rock the Vote API Access to Qualified Voter File – 25,000 Unvetted Third-Party Partners (MI)

Established Fact

The Michigan Department of State, under Secretary Jocelyn Benson, established API contracts granting Rock the Vote and approximately 25,000 partner organizations direct remote access to Michigan’s Qualified Voter File (QVF), which contains voters’ Personally Identifiable Information (PII), including partial Social Security Numbers and driver’s license numbers. These access agreements were executed without NIST-compliant security vetting of the 25,000 partner entities and without individualized Organizational Conflict of Interest (OCI) review. The QVF is the foundational voter roll database for all Michigan election administration; its exposure to 25,000 unvetted third parties created both a data security vulnerability and a structural pathway for partisan database manipulation.

Citations

Michigan Department of State, New Tool Allows Civic Groups to Conduct Voter Registration Drives Digitally (June 15, 2020), https://www.michigan.gov/sos/0,4670,7-127-1640_9150-531981–,00.html.

Michigan Fair Elections, What’s This Fuss about the QVF? (July 2023), https://www.mifairelections.org/post/what-s-this-fuss-about-the-qvf; Michigan Voting, Secure & Accurate Elections, https://www.michiganvoting.org/secure-and-accurate-elections.

Rock the Vote “Rocky RESTFUL API Specifications, https://rock-the-vote.github.io/Voter-Registration-Tool-API-Docs/

Rock the Vote, Rocky RESTful API Version 4.0, § “Release Notes: V2.2”; § “registrations” and “gregistrations” interface definitions (noting the prior existence of GET methods for both), https://rock-the-vote.github.io/Voter-Registration-Tool-API-Docs/.

MCL § 168.509aa et seq. (QVF confidentiality and security requirements)

Under V2 and V3, partners had synchronous, on-demand, authenticated read access to all registrant PII records submitted through their partner ID, via:

  • GET /api/v2/registrations.json — returns registrant records directly in the API response body, filterable by since datetime and email
  • GET /api/v2/gregistrations.json — same, for government-redirect registrant records

These endpoints required only a valid partner_id and partner_API_key to execute. A successful call returned the full registrant data set — including name, DOB, address, id_number (SSN or driver’s license), email, and all opt-in preference fields — synchronously, inline, in the response body.

More Evidence